Lateral movement in a Domain Network has its own rules.
Patient zero to total compromise in only one jump.
A lateral movement attack is a connection from one domain-joined host to another domain-joined host using valid but stolen account credentials (a user account or a service account).
The source host (patient zero) is usually an already compromised system, such as an infected laptop, inside the targeted domain environment.

In most cases this host is compromised by a spear-phishing email that carries a malicious attachment or a link to a site under the attacker's control. Once the payload runs, the attacker typically takes control of the host through a callback to a command-and-control server and a reverse shell. After elevating privileges (reading LSASS memory, the SAM or the LSA secrets requires local administrator or SYSTEM), the attacker dumps the credentials stored on the compromised host and uses them to connect to another host.
A domain environment is a special kind of network. Every domain-joined host trusts the same authentication authority, and privileged users (administrators, help desk staff, service accounts) routinely log on to ordinary endpoints and servers, leaving reusable credential material behind on them. By design, a single compromised endpoint therefore exposes every resource that the stolen identities can reach, and that lets attackers move laterally with ease.
Consequently, lateral movement is a two-step attack as follows:
1. Capture credentials from a source host.

The attacker can capture any valid credential material. It is usually obtained with specialized tools (Mimikatz is the best known) that read Windows credential storage: LSASS process memory, the local SAM, LSA secrets and cached domain logons. What is harvested is NT hashes, Kerberos tickets and keys, and sometimes plaintext passwords, all of which can be reused for authentication without ever cracking a password.

The attacker can potentially steal any credentials present on the compromised system: those of accounts currently logged on, and those of past logons whose material is cached or has not yet been wiped from memory. The most valuable ones belong to the privileged accounts of the targeted domain, such as help desk accounts, domain admins, privileged service accounts and the local administrator account, especially where a password is reused across hosts or generated by a predictable scheme.

2. Use stolen credentials to access other hosts or resources.

Once the credentials are stolen, the attacker uses them to access another resource, such as a host or a server (for example, a mailbox on an Exchange server). With an NT hash the attacker uses pass-the-hash over NTLM, or overpass-the-hash to request a Kerberos ticket with the hash; with a stolen Kerberos ticket, pass-the-ticket.

A few relevant facts about lateral movement in a domain network:
Lateral movement is not limited to workstation access; the same stolen credentials open other resources such as a mailbox on an Exchange server or any business application server.
Lateral movement uses the standard authentication protocols, Kerberos and NTLM, so the events it generates (4624 logons, 4768/4769 ticket requests) are the same ones that legitimate logons generate. No single dedicated Windows event or network IDS rule identifies it on its own; detection has to combine context: which account, from which host, to which host, over which protocol.
An attacker does not have to use captured credentials immediately. An NT hash stays valid until the password is changed, and a Kerberos TGT until it expires (ten hours by default, renewable for seven days), so credentials captured today can be replayed later, long after the original compromise.
Lateral movement is not a Windows-specific problem; any authentication system that offers single sign-on has the same issue. Single sign-on requires storing credentials in some form that remains valid so they can be reused to authenticate to other services without re-entering the password, and whatever is stored can be stolen and reused by an attacker as well.
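Because the protocols are the normal ones, a practical detector scores context rather than matching a single signature. The following is an added example, not code from the original page or from AD|Protect: it scores constructed records shaped like Windows Security event 4624 for the indicators discussed above (a type 9 "seclogo" logon on the source host, workstation-to-workstation network logons, NTLM where Kerberos is expected, a privileged account reaching a workstation). The host inventory, the privileged-account list, the weights and the alert threshold are assumptions chosen for the illustration.

```python
"""Score Windows Security event 4624 records for lateral-movement indicators.

Added example; not code from the original page or from AD|Protect. The
event records are constructed to resemble 4624 fields, and the host
inventory, privileged-account list, weights and threshold are assumptions.
"""

# Assumed inventory. In production, derive these from AD (computer objects in
# the Domain Controllers OU, server OUs, members of the admin groups).
DOMAIN_CONTROLLERS = {"DC01"}
SERVERS = {"FS01", "EXCH01"}
PRIVILEGED = {"da-jsmith", "helpdesk-adm", "svc-backup"}
ALERT_THRESHOLD = 3  # assumed weight at which a record becomes an alert


def host_role(name):
    """Classify a host name; anything unknown is treated as a workstation."""
    if name in DOMAIN_CONTROLLERS:
        return "dc"
    if name in SERVERS:
        return "server"
    return "workstation"


def score_logon(ev):
    """Return (score, reasons) for one 4624 record.

    Each check is a weak indicator on its own; adding them up keeps ordinary
    Kerberos logons to servers at zero while stacking the suspicious traits.
    """
    score, reasons = 0, []
    user = ev["TargetUserName"]
    src = ev.get("WorkstationName", "")  # source host as reported by the client
    dst = ev["Computer"]                   # host that logged the event
    ltype = ev["LogonType"]

    # Type 9 (NewCredentials) logons created by the 'seclogo' logon process:
    # both 'runas /netonly' and Mimikatz sekurlsa::pth look exactly like this
    # on the source host, so this is strong but not conclusive.
    if ltype == 9 and ev.get("LogonProcessName") == "seclogo":
        score += 3
        reasons.append("type 9 logon via seclogo (runas /netonly or pass-the-hash)")

    if ltype == 3:  # network logon: SMB, WMI, WinRM, RPC ...
        if src and host_role(src) == "workstation" and host_role(dst) == "workstation":
            score += 2
            reasons.append("workstation-to-workstation network logon")
        # Pass-the-hash has to use NTLM. Kerberos-capable clients also fall
        # back to NTLM when they target an IP address or a host without an
        # SPN, so this only counts a little.
        if ev.get("AuthenticationPackageName") == "NTLM":
            score += 1
            reasons.append("NTLM instead of Kerberos inside the domain")
        if user in PRIVILEGED and host_role(dst) == "workstation":
            score += 2
            reasons.append("privileged account used to reach a workstation")
    return score, reasons


def find_alerts(events, threshold=ALERT_THRESHOLD):
    """Return [(index, account, destination, score, reasons)] for records at or above threshold."""
    alerts = []
    for i, ev in enumerate(events):
        score, reasons = score_logon(ev)
        if score >= threshold:
            alerts.append((i, ev["TargetUserName"], ev["Computer"], score, reasons))
    return alerts


# Constructed records (not real logs). Field names follow event 4624.
SAMPLE_EVENTS = [
    # 1: an administrator logs on interactively to a DC: normal.
    {"Computer": "DC01", "TargetUserName": "da-jsmith", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "WorkstationName": "DC01"},
    # 2: a user opens a share on a file server with Kerberos: normal.
    {"Computer": "FS01", "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "WS-BOB"},
    # 3: on bob's workstation a seclogo/type 9 logon appears (pth or runas /netonly).
    {"Computer": "WS-BOB", "TargetUserName": "bob", "LogonType": 9,
     "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo",
     "WorkstationName": "WS-BOB"},
    # 4: the help-desk admin account then reaches another workstation over NTLM.
    {"Computer": "WS-ALICE", "TargetUserName": "helpdesk-adm", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-BOB"},
    # 5: the backup service account talks NTLM between two servers: weak signal only.
    {"Computer": "EXCH01", "TargetUserName": "svc-backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "FS01"},
]

if __name__ == "__main__":
    for idx, user, dst, score, why in find_alerts(SAMPLE_EVENTS):
        print(f"event {idx + 1}: {user} -> {dst} score={score}: {'; '.join(why)}")
```

Run against the constructed records, events 3 and 4 cross the threshold and events 1, 2 and 5 do not. The weights are the part to tune per environment: on a site where administrators habitually use runas /netonly, the seclogo indicator should weigh less, and the NTLM indicator is only meaningful once IP-address targets and SPN-less hosts have been accounted for.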
What happens after a lateral movement?

Once attackers have a foothold on a domain-joined machine they can see almost everything: by default any authenticated domain account can read the directory, including users, groups, computers and group memberships. From this point they can take control of the entire organization in one lateral movement jump and potentially obtain all domain credentials in two. This common methodology is stealthy and almost impossible to detect with conventional, signature-based solutions.

After getting a foothold on a domain machine, the attacker's first objective is to map all of the highly privileged identities in the network. A few LDAP queries against Active Directory, which need no privileged account, return an up-to-date list of the administrators: the members of Domain Admins and the other admin groups, their user names and their last logon times. The attacker can then hunt them down internally, looking for the machines they are currently logged on to.

With PowerView's Invoke-StealthUserHunter, the attacker issues one LDAP query for all users in the domain, extracts the server names from the users' home directory paths (the HomeDirectory attribute), and runs Get-NetSession (NetSessionEnum over SMB) against each resulting server to learn who has a session open there and from which workstation. Because the attacker does not touch every machine in the domain, as Invoke-UserHunter does, this traffic is far less conspicuous.
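What that hunt leaves behind is one account, from one source address, logging on to each file server once in quick succession, which is exactly the fan-out pattern a server-side collector can catch. The following is an added example, not code from the original page, from PowerView or from AD|Protect: a sliding-window detector over constructed 4624 network-logon records that raises an alert the first time an account reaches a given number of distinct servers inside the window. The log line format, host names, IP addresses, window length and threshold are assumptions for the illustration.

```python
"""Spot one account reaching many servers in a short window (session enumeration).

Added example; not code from the original page, from PowerView or from AD|Protect.
The log lines are constructed to carry the 4624 fields the detector needs; the host
names, IP addresses, window and threshold are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: a person mapping drives does not hit 4 servers in 10 minutes
THRESHOLD = 4                   # assumed: distinct servers reached inside WINDOW before alerting

# Constructed events: time|EventID|LogonType|Computer (destination)|TargetUserName|IpAddress
SAMPLE_LINES = """\
2024-05-01T09:00:05|4624|3|FS01|bob|10.0.0.5
2024-05-01T09:00:07|4624|3|FS02|bob|10.0.0.5
2024-05-01T09:00:09|4624|3|FS03|bob|10.0.0.5
2024-05-01T09:00:10|4625|3|FS04|bob|10.0.0.5
2024-05-01T09:00:11|4624|3|EXCH01|bob|10.0.0.5
2024-05-01T09:01:00|4624|3|FS01|alice|10.0.0.9
2024-05-01T09:02:00|4624|3|FS01|alice|10.0.0.9
2024-05-01T09:03:00|4624|3|EXCH01|alice|10.0.0.9
2024-05-01T08:00:00|4624|3|FS01|carol|10.0.0.7
2024-05-01T08:30:00|4624|3|FS02|carol|10.0.0.7
2024-05-01T09:00:00|4624|3|FS03|carol|10.0.0.7
2024-05-01T09:30:00|4624|3|FS04|carol|10.0.0.7
""".splitlines()


def parse_events(lines):
    """Turn the constructed pipe-separated lines into event dicts."""
    events = []
    for line in lines:
        t, eid, ltype, dst, user, ip = line.split("|")
        events.append({"time": datetime.fromisoformat(t), "EventID": int(eid),
                       "LogonType": int(ltype), "Computer": dst,
                       "TargetUserName": user, "IpAddress": ip})
    return events


def find_fanout(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (account, source IP) the first time it has successful
    network logons to `threshold` distinct hosts inside a sliding `window`.

    The events come from every server (central collection), so the picture is
    the one Invoke-StealthUserHunter leaves behind: the same account, from the
    same source, touching each file server once in quick succession.
    """
    recent = defaultdict(deque)  # (user, ip) -> deque of (time, destination host)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue  # only successful network logons count
        key = (ev["TargetUserName"], ev["IpAddress"])
        q = recent[key]
        q.append((ev["time"], ev["Computer"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()  # drop logons that fell out of the window
        hosts = {h for _, h in q}
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"account": key[0], "src_ip": key[1],
                           "hosts": sorted(hosts), "at": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in find_fanout(parse_events(SAMPLE_LINES)):
        print(f"{a['at']:%H:%M:%S} {a['account']}@{a['src_ip']} reached "
              f"{len(a['hosts'])} hosts: {', '.join(a['hosts'])}")
```

On the constructed input only bob trips the detector: alice reuses the same two servers, and carol reaches four servers but spread over ninety minutes, so with the ten-minute window they never coexist in her deque (widen the window to two hours and carol is flagged as well). Where "Detailed File Share" auditing is enabled, the same enumeration also leaves event 5145 on each server with share name \\*\IPC$ and relative target name srvsvc, and that stream can be fed through the same window logic as a second, more specific signal.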

After obtaining domain admin credentials on the first jump, the second jump is reaching a domain controller and dumping NTDS.dit (together with the SYSTEM registry hive that holds the key needed to decrypt it), or replicating the password hashes directly with DCSync, which yields all of the domain's credentials.

We designed AD|Protect with this in mind
The only effective detection solution to such a threat is one that can detect attackers on their first move. AD|Protect can detect the first lateral movement attempt in a domain environment with 99.34% accuracy.